Fixing issues when using sync-clients with owncloud on apache 2.4 and php-fpm

I recently upgraded from Debian wheezy (7.x) to Debian jessie (8.x). Apache was upgraded from 2.2.x to 2.4.x, and everything was working fine after some minor tweaks.

I was able to use owncloud with the web interface (yea, using a browser), but my mobile devices, webmail and local mail client could not connect to owncloud anymore.

tldr; One must add

SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1

to the apache vhost configuration to pass authorization headers to owncloud.

apache 2.2 + php-fpm using mod_fastcgi

This was my setup on apache 2.2.x with php-fpm via mod_fastcgi. I won't post the php-fpm pool configuration here, as it has not changed and is pretty straightforward to configure…

<VirtualHost *:443>
    ServerName owncloud.example.com

    DocumentRoot /home/owncloud/www/owncloud.example.com/
    <Directory /home/owncloud/www/owncloud.example.com/>
        AllowOverride All
        Options FollowSymLinks -Indexes IncludesNoExec
    </Directory>

    FileETag None
    <IfModule mod_headers.c>
        Header unset Pragma
        Header unset ETag
        Header append Cache-Control "public"
    </IfModule>
    <IfModule mod_expires.c>
        <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4|css|js|svg)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 week"
        </FilesMatch>
    </IfModule>

    <IfModule mod_fastcgi.c>
        AddHandler php5-fcgi .php
        Action php5-fcgi /php5-fcgi-owncloud
        Alias /php5-fcgi-owncloud /usr/lib/cgi-bin/php5-fcgi-owncloud
        FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-owncloud -host 127.0.0.1:9004 -pass-header Authorization -flush -idle-timeout 330
    </IfModule>

    <IfModule mod_ssl.c>
    ...
    ...
    </IfModule>
</VirtualHost>

apache 2.4 + php-fpm using mod_proxy_fcgi

The following is the new vhost configuration for apache 2.4. It uses proxy_fcgi to pass requests to php-fpm. There are also several minor differences between the two:

  • Require all granted
  • must add + / - before all Options
  • do not use fastcgi anymore but prefer proxy_fcgi
  • pass authorization headers to proxy_fcgi too

That's the resulting vhost config:

<VirtualHost *:443>
    ServerName owncloud.example.com

    DocumentRoot /home/owncloud/www/owncloud.example.com/
    <Directory /home/owncloud/www/owncloud.example.com/>
        Require all granted
        AllowOverride All
        Options +FollowSymLinks -Indexes +IncludesNoExec
    </Directory>

    FileETag None
    <IfModule mod_headers.c>
        Header unset Pragma
        Header unset ETag
        Header append Cache-Control "public"
    </IfModule>
    <IfModule mod_expires.c>
        <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|mp3|mp4|css|js|svg)$">
            ExpiresActive On
            ExpiresDefault "access plus 1 week"
        </FilesMatch>
    </IfModule>

    <IfModule mod_proxy_fcgi.c>
        SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
        ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9004/home/owncloud/www/owncloud.example.com/$1
    </IfModule>

    <IfModule mod_ssl.c>
    ...
    ...
    </IfModule>
</VirtualHost>

Without the line

    SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1

owncloud will work correctly in the browser, but sync clients such as smartphones, tablets and mail clients (contacts, etc.) will produce the following apache errorlog entries:

xx.xx.xx.xx - - [13/May/2015:23:53:59 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 5267 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:00 +0200] "PROPFIND /remote.php/caldav/calendars/croessler/personal/ HTTP/1.1" 401 5267 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:02 +0200] "PROPFIND /remote.php/caldav/calendars/croessler/personal/ HTTP/1.1" 401 1445 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:05 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 1445 "-" "RIM"
xx.xx.xx.xx - - [13/May/2015:23:54:11 +0200] "PROPFIND /remote.php/carddav/addressbooks/croessler/contacts4 HTTP/1.1" 401 1445 "-" "RIM"

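The client got an HTTP 401 (authorization failed) response. The browser works because the web login uses a form and a session cookie, while the sync clients authenticate with an HTTP Authorization header, which apache does not hand to the FastCGI backend by default. Therefore one must pass the HTTP Authorization headers sent by the clients to the php-fpm scripts. If done correctly, the apache errorlog looks like this: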

xx.xx.xx.xx - - [14/May/2015:00:00:07 +0200] "PROPFIND /remote.php/carddav/addressbooks/foo/contacts4 HTTP/1.1" 207 5507 "-" "RIM"
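
To check a log for this symptom after the change, the following Python script (an added example, not part of the original post) groups requests to /remote.php/ by client and lists the clients that only ever received 401. The function names, the min_requests threshold and the sample log lines are assumptions made for the example; the sample lines are constructed in the same log format as the entries above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same log format as the entries above
# (addresses and user names are placeholders, not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [13/May/2015:23:53:59 +0200] "PROPFIND /remote.php/carddav/addressbooks/alice/contacts HTTP/1.1" 401 5267 "-" "RIM"
192.0.2.10 - - [13/May/2015:23:54:00 +0200] "PROPFIND /remote.php/caldav/calendars/alice/personal/ HTTP/1.1" 401 5267 "-" "RIM"
192.0.2.10 - - [13/May/2015:23:54:02 +0200] "PROPFIND /remote.php/caldav/calendars/alice/personal/ HTTP/1.1" 401 1445 "-" "RIM"
192.0.2.20 - - [14/May/2015:00:00:05 +0200] "PROPFIND /remote.php/carddav/addressbooks/bob/contacts HTTP/1.1" 401 1445 "-" "RIM"
192.0.2.20 - - [14/May/2015:00:00:07 +0200] "PROPFIND /remote.php/carddav/addressbooks/bob/contacts HTTP/1.1" 207 5507 "-" "RIM"
192.0.2.30 - - [14/May/2015:00:01:00 +0200] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def dav_auth_summary(log_text, prefix="/remote.php/"):
    """Count 401 and non-401 responses per client for sync endpoints."""
    stats = defaultdict(lambda: {"denied": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue  # unparsable line or not a sync endpoint
        key = "denied" if m.group("status") == "401" else "other"
        stats[m.group("client")][key] += 1
    return dict(stats)

def clients_never_authenticated(log_text, min_requests=3):
    """Clients whose sync requests were all answered with 401.

    A client that is challenged once and then succeeds shows a mix of
    401 and 207; a client that only ever sees 401 matches the symptom
    described above (Authorization header not reaching PHP) or is
    sending bad credentials.
    """
    return sorted(
        client for client, s in dav_auth_summary(log_text).items()
        if s["other"] == 0 and s["denied"] >= min_requests
    )

if __name__ == "__main__":
    for client in clients_never_authenticated(SAMPLE_LOG):
        print("only 401 on sync endpoints:", client)
```

If every sync client shows up in this list while browser logins still work, the header pass-through is the first thing to check; a single client in the list points at that client's credentials instead.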

Of course one must enable/activate the apache module proxy_fcgi by issuing

a2enmod proxy_fcgi

Must go to bed now.